Defining Terms: What Is a Directory Service?

Here is one definition for a directory service:

A directory service is a customizable information store that functions as a single point from which users can locate resources and services distributed throughout the network. This customizable information store also gives administrators a single point for managing its objects and their attributes. Although this information store appears as a single point to the users of the network, it is actually most often stored in a distributed form.

A genuine directory service is much more than a database technology that stores users and groups. This is a really important point — one that you should keep in mind as you review for the test.

The database that forms a directory service is not designed for transactional data. (For this reason, many people prefer to use the phrase “information store” in their definitions of a directory service.) The data stored in your directory service should be fairly stable and should change only when the objects in your network change: a user is added, a printer moves, a password is reset. For example, the data that forms a directory service changes much less frequently than a sales database. The reason is replication: every change you make is copied to every domain controller that holds that part of the directory, so data that changes very frequently would swamp the replication system and belongs in another type of database on the network. (Of course, Microsoft would suggest Access or SQL Server for storing your transactional data.)

What all good directory services should offer

Microsoft claimed to have a directory service in previous Windows NT versions, but it fell quite short of most industry standards. To be considered a genuine enterprise directory service, a system should meet the following criteria:

If necessary, the information store can be distributed among many different physical locations. However, for the purposes of searches and administration, it appears as a single database.

The information store can accommodate new types of objects, as necessary, to meet the network’s changing needs.

Users and administrators can easily search for information from various locations throughout the network.

The system has no dependency upon physical location.

The information store is accessible from many different operating systems. Typically, this is possible thanks to nonproprietary communication standards utilized in the system.

Does Windows 2000 meet these criteria with Active Directory Services? You bet it does!

Many Windows 2000 Servers host Active Directory Services. You create these machines by installing Windows 2000 Server and then running the Active Directory Installation Wizard (dcpromo.exe), which installs the information store services and promotes the computer to the role of domain controller. These domain controllers exist, strategically placed by you, the network administrator, across the enterprise network. Even though they are distributed, network users access Active Directory as if it resides on a single server. In fact, network users are shielded completely from the actual complexities of the system, and they like it that way!

Active Directory Services rely on a “blueprint” that defines the types of objects stored in the information store and the attributes each type may carry. The official term for this “blueprint” in Active Directory is the schema. The great news for you as an administrator is that this schema is extensible, a fancy way of saying that you (or other authorized personnel) can add object classes and attributes to the schema to describe additional components in your network. In fact, just about any information you want to store in Active Directory can be accommodated. For example, you may want to record an Employee ID Number for each user account in your Active Directory information store. The base schema already defines hundreds of attributes for users (and, in fact, already includes an employeeID attribute, so check the existing schema before you add your own), but an attribute that really is missing is one you should add rather than misuse an unrelated field. Two cautions apply. First, schema changes are permanent: once an attribute or class has been added and replicated to every domain controller in the forest, it can be deactivated but never deleted, so plan extensions carefully. Second, a schema change is a forest-wide operation that only members of the Schema Admins group can perform, and only against the domain controller that holds the schema master role. Just remember that you do not store transactional information here; leave that to a full-fledged database system.
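As an added illustration (not from the original text), the following LDIF is the kind of file an administrator would feed to the Windows 2000 ldifde tool to extend the schema. Because employeeID already exists, it adds a hypothetical single-valued string attribute called badgeNumber and attaches it to the user class; the attribute name, the placeholder OID and the DC=X placeholder are assumptions, and the OID must be replaced with one from an arc you actually own. In Windows 2000 the target domain controller must be the schema master, the account must be in Schema Admins, and the “schema may be modified on this domain controller” setting must have been enabled in the Active Directory Schema snap-in.

```ldif
# Added example, not from the original text. Adds a hypothetical, indexed,
# single-valued Unicode-string attribute "badgeNumber" to the schema and lets
# user objects carry it. Run on the schema master with:
#   ldifde -i -f badge.ldf -c "DC=X" "DC=example,DC=com"
# attributeID is a placeholder OID; allocate one from your own arc.
dn: CN=Badge-Number,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
cn: Badge-Number
lDAPDisplayName: badgeNumber
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE

# Reload the schema cache so the class change below can reference the new attribute.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: badgeNumber
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

searchFlags: 1 asks the directory to index the attribute, which is what makes searching on it cheap. isMemberOfPartialAttributeSet: TRUE replicates it to global catalog servers so forest-wide searches can use it; be aware that on Windows 2000 any change to the partial attribute set causes every global catalog server to rebuild its partial replicas in full, so make such changes during a maintenance window.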

Active Directory offers robust search capabilities for users of the network. You can search for any object stored in the directory, using any of the object’s attributes in the search criteria; the query is expressed as an LDAP search filter such as (employeeID>=00500), and attributes flagged as indexed in the schema are searched efficiently. Following the previous example, you could search for all users in the network whose Employee ID Numbers are greater than or equal to a certain value (note that a string attribute sorts as text, not as a number, so keep such IDs zero-padded to a fixed width). Forest-wide searches are made simple and fast by a special subset of the information store called the global catalog, which resides on selected domain controllers called global catalog servers. Each of these servers holds a read-only, partial replica of every domain in the forest: every object, but only the attributes marked in the schema as most likely to be used in searches (the partial attribute set). That has a practical consequence: a global catalog server can answer a search on an attribute only if that attribute is in the partial attribute set, so a custom attribute you add is searchable forest-wide only once you flag it for global catalog replication; otherwise the search must go to a domain controller of the object’s own domain. Within those limits, global catalog servers locate resources quickly and efficiently, regardless of their actual location in the network.
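As an added example that is not part of the original text, the following Python builds the LDAP search filters such a query uses and shows why the value placed into a filter must be escaped. It assumes a string-valued employeeID attribute on user objects, does not contact a directory (it only constructs the filter string any LDAP client would send), and the malicious logon name is constructed for illustration.

```python
"""Build LDAP search filters for the Employee ID search described above.

Added example, not from the original text. Assumes a string-valued employeeID
attribute on user objects; nothing here talks to a directory server.
"""

# RFC 2254 / RFC 4515 filter syntax: a value sits inside parentheses, so these
# characters must be hex-escaped or they change the structure of the filter
# instead of being matched literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe embedding in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def employee_id_filter(min_id: str) -> str:
    """Filter for user objects whose employeeID is >= min_id.

    employeeID has Unicode-string syntax, so >= uses string ordering, not
    numeric order: "999" sorts after "1000". Keep IDs zero-padded to a fixed
    width if the search must behave numerically.

    objectCategory=person is included because the computer class inherits from
    the user class, so objectClass=user alone also matches computer accounts.
    """
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(employeeID>={escape_filter_value(min_id)}))"
    )


def user_by_logon_name(name: str) -> str:
    """Exact-match lookup by sAMAccountName, with the value escaped."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(name)}))"


def user_by_logon_name_unsafe(name: str) -> str:
    """The same lookup with the value concatenated raw.

    Deliberately unescaped to show the failure: a name such as "*" or
    "jdoe)(objectClass=*" widens the match from one user to every user.
    """
    return f"(&(objectClass=user)(sAMAccountName={name}))"


def component_count(ldap_filter: str) -> int:
    """Number of filter components, counted as raw '(' characters.

    Escaped values never contain a raw '(', so for a correctly built filter
    this equals the number of components the caller wrote; an unescaped
    value that smuggles in its own component raises the count.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    print(employee_id_filter("00500"))
    evil = "jdoe)(objectClass=*"  # constructed malicious input
    print(user_by_logon_name(evil), component_count(user_by_logon_name(evil)))
    print(user_by_logon_name_unsafe(evil), component_count(user_by_logon_name_unsafe(evil)))
```

The escaped form keeps the injected text inside the sAMAccountName value (three components either way), while the raw form silently becomes a four-component filter that matches every user object.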

Thanks to a complex and robust replication system that carries every change to every domain controller in the distributed system, no reliance on physical location exists within Active Directory Services. In Windows 2000, you actually define the physical topology of your network in the directory service, as sites (groups of well-connected IP subnets) and the site links between them, so domain controllers can notify one another of changes effectively and efficiently: replication within a site happens promptly over the LAN, while replication between sites is compressed and scheduled over the slower links you describe.

Microsoft made sure to adhere to nonproprietary technologies in the design of Active Directory. This design makes integration with many other computer systems possible and even encouraged. ADS coexists well with Novell networks, UNIX networks, and many others.

Other directory services

Active Directory is not the only directory service in town. Novell has Novell Directory Services (NDS), or eDirectory, as Novell likes to call it these days. Banyan has StreetTalk, and we are bound to see more from Sun Microsystems, Netscape, and others.

The key to the success of these competing directory services will depend on support for LDAP (Lightweight Directory Access Protocol). LDAP, defined for version 3 in RFC 2251, is a standard, vendor-independent protocol for connecting to a directory, authenticating (binding), and searching for, reading and modifying its entries; the filter syntax used in searches is part of that standard. Microsoft’s ADS provides robust support for LDAP: domain controllers answer LDAP on TCP port 389 (636 over SSL), and global catalog servers additionally answer forest-wide searches on port 3268 (3269 over SSL). One caveat a security-minded administrator should keep in mind: an LDAP simple bind sends the password in clear text, so use it only over SSL, or use a SASL bind (Kerberos or NTLM), which is what Windows clients do by default.